From c59e9209eb18d2797c677492f040ab73ade3fd97 Mon Sep 17 00:00:00 2001
From: Pete Batard
Date: Mon, 19 Jun 2023 00:04:08 +0200
Subject: [PATCH] [uefi] factorize SkuSiPolicy.p7b copying code and apply it for Windows To Go

* Also don't forget to credit the original authors of the PowerShell gist we derived our code from!
---
 src/format.c | 13 +------------
 src/license.h | 5 +++++
 src/pki.c | 3 +++
 src/rufus.h | 1 +
 src/rufus.rc | 10 +++++-----
 src/wue.c | 25 +++++++++++++++++++++++++
 6 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/src/format.c b/src/format.c
index 02e5329b..fb571902 100644
--- a/src/format.c
+++ b/src/format.c
@@ -1908,19 +1908,8 @@ DWORD WINAPI FormatThread(void* param)
 FormatStatus = ERROR_SEVERITY_ERROR|FAC(FACILITY_STORAGE)|APPERR(ERROR_CANT_PATCH);
 }
 }
- } else if ((target_type == TT_UEFI) && IS_WINDOWS_1X(img_report) && pe256ssp_size > 0) {
- // Copy this system's SkuSiPolicy.p7b to the target drive so that UEFI bootloaders
- // revoked by Windows through WDAC policy do get flagged as revoked.
- char src[MAX_PATH], dst[MAX_PATH];
- struct __stat64 stat64 = { 0 };
- static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
- static_sprintf(dst, "%s\\efi\\microsoft\\boot\\SKUSiPolicy.p7b", drive_name);
- if ((_stat64U(dst, &stat64) != 0) && (_stat64U(src, &stat64) == 0)) {
- uprintf("Copying: %s (%s) (from %s)", dst, SizeToHumanReadable(stat64.st_size, FALSE, FALSE), src);
- if (!CopyFileU(src, dst, TRUE))
- uprintf(" Error writing file: %s", WindowsErrorString());
- }
 }
+ CopySKUSiPolicy(drive_name);
 if ( (target_type == TT_BIOS) && HAS_WINPE(img_report) ) {
 // Apply WinPE fixup
 if (!SetupWinPE(drive_name[0]))
diff --git a/src/license.h b/src/license.h
index 884f8882..f01d407b 100644
--- a/src/license.h
+++ b/src/license.h
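Review bot: `CopySKUSiPolicy(drive_name);` now runs after the whole `if`/`else if` chain, whereas the removed `else if` branch only ran when no earlier branch was taken, so the copy is also attempted after the `ERROR_CANT_PATCH` failure visible at the top of the hunk. If the copy should not proceed once FormatStatus already carries an error, guard the call, e.g. `if (!IS_ERROR(FormatStatus)) CopySKUSiPolicy(drive_name);` (assuming that is the error check this file uses). The chain's opening `if` and the rest of FormatThread lie outside the hunk, so whether the earlier branches are mutually exclusive with the UEFI condition inside the helper cannot be confirmed from here.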
@@ -134,6 +134,11 @@ const char* additional_copyrights =
 "https://github.com/u-boot/u-boot\\line\n"
 "GNU General Public License (GPL) v2 or later\\line\n"
 "\\line\n"
+"SkuSiPolicy.p7b parsing derived from:\\line\n"
+"https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e\\line\n"
+"by Matthew Graeber, with contributions by James Forshaw\\line\n"
+"BSD 3-Clause\\line\n"
+"\\line\n"
 "About and License dialogs inspired by WinSCP by Martin Prikryl\\line\n"
 "https://winscp.net/\\line\n"
 "GNU General Public License (GPL) v3 or later\\line\n"
diff --git a/src/pki.c b/src/pki.c
index 131a3393..887afbcf 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -792,6 +792,9 @@ out:
 return r;
 }
 
+// The following SkuSiPolicy.p7b parsing code is derived from:
+// https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e
+// by Matthew Graeber, with contributions by James Forshaw.
 BOOL ParseSKUSiPolicy(void)
 {
 char path[MAX_PATH];
diff --git a/src/rufus.h b/src/rufus.h
index 14b66d46..7705d2a7 100644
--- a/src/rufus.h
+++ b/src/rufus.h
@@ -643,6 +643,7 @@ extern BOOL ExtractAppIcon(const char* filename, BOOL bSilent);
 extern BOOL ExtractDOS(const char* path);
 extern BOOL ExtractISO(const char* src_iso, const char* dest_dir, BOOL scan);
 extern int64_t ExtractISOFile(const char* iso, const char* iso_file, const char* dest_file, DWORD attributes);
+extern BOOL CopySKUSiPolicy(const char* drive_name);
 extern BOOL HasEfiImgBootLoaders(void);
 extern BOOL DumpFatDir(const char* path, int32_t cluster);
 extern char* MountISO(const char* path);
diff --git a/src/rufus.rc b/src/rufus.rc
index 6502ea7b..df17d236 100644
--- a/src/rufus.rc
+++ b/src/rufus.rc
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.2.2052"
+CAPTION "Rufus 4.2.2053"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
 LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -392,8 +392,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,2,2052,0
- PRODUCTVERSION 4,2,2052,0
+ FILEVERSION 4,2,2053,0
+ PRODUCTVERSION 4,2,2053,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -411,13 +411,13 @@ BEGIN
 VALUE "Comments", "https://rufus.ie"
 VALUE "CompanyName", "Akeo Consulting"
 VALUE "FileDescription", "Rufus"
-VALUE "FileVersion", "4.2.2052"
+VALUE "FileVersion", "4.2.2053"
 VALUE "InternalName", "Rufus"
 VALUE "LegalCopyright", "© 2011-2023 Pete Batard (GPL v3)"
 VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
 VALUE "OriginalFilename", "rufus-4.2.exe"
 VALUE "ProductName", "Rufus"
-VALUE "ProductVersion", "4.2.2052"
+VALUE "ProductVersion", "4.2.2053"
 END
 END
 BLOCK "VarFileInfo"
diff --git a/src/wue.c b/src/wue.c
index ccf8b2af..e95c925c 100644
--- a/src/wue.c
+++ b/src/wue.c
@@ -473,6 +473,29 @@ out:
 return ((img_report.win_version.major != 0) && (img_report.win_version.build != 0));
 }
 
+// Copy this system's SkuSiPolicy.p7b to the target drive so that UEFI bootloaders
+// revoked by Windows through WDAC policy do get flagged as revoked.
+BOOL CopySKUSiPolicy(const char* drive_name)
+{
+ BOOL r = FALSE;
+ char src[MAX_PATH], dst[MAX_PATH];
+ struct __stat64 stat64 = { 0 };
+
+ if ((target_type != TT_UEFI) || !IS_WINDOWS_1X(img_report) || pe256ssp_size == 0)
+ return r;
+
+ static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
+ static_sprintf(dst, "%s\\efi\\microsoft\\boot\\SKUSiPolicy.p7b", drive_name);
+ if ((_stat64U(dst, &stat64) != 0) && (_stat64U(src, &stat64) == 0)) {
+ uprintf("Copying: %s (%s) (from %s)", dst, SizeToHumanReadable(stat64.st_size, FALSE, FALSE), src);
+ r = CopyFileU(src, dst, TRUE);
+ if (!r)
+ uprintf(" Error writing file: %s", WindowsErrorString());
+ }
+
+ return r;
+}
+ ///
+/// Checks which versions of Windows are available in an install image
+/// to set our extraction index. Asks the user to select one if needed.
@@ -687,6 +710,8 @@ BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 FormatStatus = ERROR_SEVERITY_ERROR | FAC(FACILITY_STORAGE) | APPERR(ERROR_ISO_EXTRACT);
 }
 
+ CopySKUSiPolicy((use_esp) ? ms_efi : drive_name);
+
 UpdateProgressWithInfo(OP_FILE_COPY, MSG_267, wim_proc_files + 2 * wim_extra_files, wim_nb_files);
 
 // Setting internal drives offline for Windows To Go is crucial if, for instance, you are using ReFS
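Review bot: `CopySKUSiPolicy` skips the copy whenever something already exists at `dst` (the `_stat64U(dst, &stat64) != 0` test), so if the image extracted for Windows To Go — the new caller in the second hunk — already carries an older `SKUSiPolicy.p7b` under `efi\microsoft\boot`, the host's newer revocation policy is never applied; if that case is reachable, decide by comparing the two files (e.g. `st_mtime`) rather than by existence alone. The return value folds "not applicable", "already present", "source missing" and "copy failed" into FALSE and both callers discard it, which the header comment should state: `// Returns TRUE only when the policy was actually copied; FALSE also covers "nothing to do".` The early return also relies on `pe256ssp_size` having been populated beforehand (presumably by ParseSKUSiPolicy() in pki.c), worth a line such as `// Requires the policy to have been parsed first (pe256ssp_size != 0).` Finally, the inverted guard `pe256ssp_size == 0` matches the removed `pe256ssp_size > 0` only if that variable cannot be negative.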